Dark Caracal

Dark Caracal is a threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. [1]

ID: G0070
Version: 1.4
Created: 17 October 2018
Last Modified: 11 April 2024

Techniques Used

Domain ID Name Use
Enterprise T1005 Data from Local System

Dark Caracal collected complete contents of the 'Pictures' folder from compromised Windows systems.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Dark Caracal's version of Bandook adds a registry key to HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[1]
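
A hunting aid for the persistence described above, added here as an example (it is not code from the report or from MITRE): it parses a Registry export of the HKEY_USERS hive, as written by `reg export HKU hku.reg`, collects every value under a per-user Run or RunOnce key, and flags the ones whose image sits in a user-writable directory, where a dropper running without administrative rights ends up. Note that the live key path carries the user's SID (HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run); the page quotes it without that component. The .reg text below is constructed, and the SID, user name and file names in it are invented. The parser handles plain REG_SZ values only; REG_EXPAND_SZ (`hex(2):`) data and multi-line hex continuations are out of scope, as is the Startup folder half of the technique.

```python
"""Flag Run/RunOnce values under HKEY_USERS whose image is in a user-writable path.

Added example, not the report's or MITRE's code. Input is a .reg export such
as `reg export HKU hku.reg` produces (UTF-16 on disk; read it with
encoding="utf-16"). Only simple "Name"="string" values are parsed.
"""
import re
import sys

# [HKEY_USERS\<SID>\Software\Microsoft\Windows\CurrentVersion\Run] or ...\RunOnce]
RUN_KEY_RE = re.compile(
    r"^\[HKEY_USERS\\(?P<sid>[^\\\]]+)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run(?:Once)?\]$",
    re.IGNORECASE,
)
# "Name"="data", where data may contain the .reg escapes \\ and \"
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
# The image path is the (optionally quoted) leading token ending in an executable extension.
IMAGE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|scr|cmd|bat|vbs|js|ps1))"?', re.IGNORECASE)
# Heuristic: directories a non-admin process can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")


def unescape_reg(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text):
    """Return [(sid, value_name, command)] for every HKU Run/RunOnce value in the export."""
    results = []
    current_sid = None  # SID of the Run key we are inside, or None for any other key
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = RUN_KEY_RE.match(line)
            current_sid = m.group("sid") if m else None
            continue
        if current_sid is None or not line:
            continue
        m = VALUE_RE.match(line)
        if m:
            results.append((current_sid, unescape_reg(m.group("name")), unescape_reg(m.group("data"))))
    return results


def image_path(command):
    """Extract the executable path from a Run command line, dropping quotes and arguments."""
    m = IMAGE_RE.match(command.strip())
    return m.group("path") if m else command.strip()


def suspicious_run_values(reg_text):
    """Return [(sid, value_name, image_path)] for Run values pointing into user-writable paths."""
    flagged = []
    for sid, name, cmd in parse_run_values(reg_text):
        path = image_path(cmd)
        if any(marker in path.lower() for marker in USER_WRITABLE):
            flagged.append((sid, name, path))
    return flagged


# Constructed export: one benign Run value, two autostarts out of the user's
# profile and one out of C:\Users\Public. SID and names are invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"FlashPlayer"="C:\\Users\\alice\\AppData\\Roaming\\Adobe\\flashplayer.exe"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="\"C:\\Users\\Public\\updater.exe\" -q"
'''

if __name__ == "__main__":
    # Usage: python hunt_run_keys.py hku.reg   (no argument: run on the constructed sample)
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for sid, name, path in suspicious_run_values(text):
        print(f"{sid}\t{name}\t{path}")
```

A path under AppData or Temp is a triage signal, not a verdict: legitimate per-user installers (Chrome, Teams, OneDrive's per-user build) autostart from AppData too, so follow each hit with a look at the file's signature, hash and creation time.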

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Dark Caracal has used macros in Word documents that would download a second stage if executed.[1]

Enterprise T1113 Screen Capture

Dark Caracal took screenshots using their Windows malware.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Dark Caracal's version of Bandook communicates with its server over a TCP port using HTTP payloads that are Base64 encoded and suffixed with the string "&&&".[1]
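
The framing described above is easy to reassemble from a captured TCP stream, because "&" is outside the Base64 alphabet and so can never occur inside a message body: every "&&&" is a genuine message boundary. The parser below, added here as an example (it is not Bandook's code, nor from the report or MITRE), does that reassembly across chunk boundaries and decodes each frame, reporting frames that are not valid Base64 rather than dropping them. Only the framing comes from the report; the sample chunks and the decoded message contents are constructed for illustration and are not real Bandook commands.

```python
"""Reassemble and decode Base64-plus-"&&&" framed C2 messages from a byte stream.

Added example, not Bandook's code and not from the report. Only the framing
(Base64 body terminated by the literal "&&&") is taken from the description;
the sample traffic and message contents below are constructed.
"""
import base64
import binascii

DELIM = b"&&&"


def split_frames(buf):
    """Split a buffer on the "&&&" terminator.

    Returns (complete_frames, remainder). The remainder is whatever follows the
    last terminator: a partially received message the caller must prepend to the
    next chunk read from the socket or extracted from the pcap.
    """
    parts = buf.split(DELIM)
    return parts[:-1], parts[-1]


def decode_frame(frame):
    """Base64-decode one frame; return None if it is not well-formed Base64."""
    frame = frame.strip()
    if not frame or len(frame) % 4 != 0:
        return None
    try:
        # validate=True rejects characters outside the Base64 alphabet instead of skipping them.
        return base64.b64decode(frame, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_stream(chunks):
    """Feed received chunks through the framer.

    Returns (messages, leftover): messages is a list of (decoded_bytes, raw_frame),
    with decoded_bytes None for frames that failed to decode, so an analyst sees what
    did not parse; leftover is the unterminated tail still waiting for more data.
    """
    pending = b""
    messages = []
    for chunk in chunks:
        frames, pending = split_frames(pending + chunk)
        for frame in frames:
            messages.append((decode_frame(frame), frame))
    return messages, pending


# Constructed sample: a stream delivered in three chunks. The second message is
# split across a chunk boundary, the third frame is not Base64 at all, and the
# last message has not yet been terminated. Message text is invented.
SAMPLE_CHUNKS = [
    base64.b64encode(b"@0001@PING") + DELIM + base64.b64encode(b"@0002@GETSHOT")[:5],
    base64.b64encode(b"@0002@GETSHOT")[5:] + DELIM,
    b"not base64!" + DELIM + base64.b64encode(b"@0003@LIST C:\\Users"),
]

if __name__ == "__main__":
    messages, leftover = scan_stream(SAMPLE_CHUNKS)
    for decoded, raw in messages:
        print("OK  " if decoded is not None else "BAD ", decoded if decoded is not None else raw)
    print("unterminated tail:", leftover)
```

For a network detection the same two properties carry over directly: a Base64-only body terminated by "&&&" on a port that is not serving ordinary HTTP is a narrow signature, and the decoded frames, not the raw Base64, are what should be inspected and logged.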

Enterprise T1083 File and Directory Discovery

Dark Caracal collected file listings of all default Windows directories.[1]

Enterprise T1189 Drive-by Compromise

Dark Caracal leveraged a watering hole to serve up malicious code.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Dark Caracal has used UPX to pack Bandook.[1]

.013 Obfuscated Files or Information: Encrypted/Encoded File

Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.[1]

Enterprise T1204 .002 User Execution: Malicious File

Dark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.[1]

Enterprise T1218 .001 System Binary Proxy Execution: Compiled HTML File

Dark Caracal leveraged a compiled HTML file that contained a command to download and run an executable.[1]

Enterprise T1566 .003 Phishing: Spearphishing via Service

Dark Caracal spearphished victims via Facebook and WhatsApp.[1]

Mobile T1437 .001 Application Layer Protocol: Web Protocols

Dark Caracal controls implants using standard HTTP communication.[1]

Software

ID Name References Techniques
S0234 Bandook [1][2] Data from Local System, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Peripheral Device Discovery, Screen Capture, File and Directory Discovery, Native API, Obfuscated Files or Information: Steganography, User Execution: Malicious File, Indicator Removal: File Deletion, System Information Discovery, System Network Configuration Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Process Injection: Process Hollowing, Exfiltration Over C2 Channel, Phishing: Spearphishing Attachment, Non-Application Layer Protocol, Audio Capture, Subvert Trust Controls: Code Signing
S0235 CrossRAT [1] Create or Modify System Process: Launch Agent, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: XDG Autostart Entries, Screen Capture, File and Directory Discovery
S0182 FinFisher [1] Audio Capture, Exploitation for Privilege Escalation, Location Tracking, Protected User Data: Call Log, Protected User Data: SMS Messages, Masquerading: Match Legitimate Name or Location, Create or Modify System Process: Windows Service, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: DLL Side-Loading, Hijack Execution Flow: KernelCallbackTable, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Screen Capture, File and Directory Discovery, Query Registry, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information: Binary Padding, Obfuscated Files or Information, Abuse Elevation Control Mechanism: Bypass User Account Control, Indicator Removal: Clear Windows Event Logs, System Information Discovery, Virtualization/Sandbox Evasion: System Checks, Access Token Manipulation: Token Impersonation/Theft, Software Discovery: Security Software Discovery, Input Capture: Credential API Hooking, Process Discovery, Process Injection: Dynamic-link Library Injection, Pre-OS Boot: Bootkit
S0399 Pallas [1] Audio Capture, Exfiltration Over C2 Channel, Indicator Removal on Host: File Deletion, Input Capture: GUI Input Capture, Location Tracking, Obfuscated Files or Information, Protected User Data: Call Log, Protected User Data: Contact List, Protected User Data: SMS Messages, Software Discovery, Stored Application Data, System Information Discovery, System Network Connections Discovery, Video Capture

References